CloudWise implements a three-tier security model that follows AWS Well-Architected Framework principles and industry best practices for multi-tenant SaaS applications.
1. Your Account Role: CloudWiseCostAccessRole - Created in your AWS account
2. CloudWise Service Role: cloudwise-customer-access-service-role - Intermediate security layer
3. Lambda Execution Role: Minimal permissions for CloudWise functions
Each role can only assume the next role in the chain; none of them has direct access to your resources.
CloudWise account ID: 513158236564
External ID: cloudwise-cost-access-2025
Role name: CloudWiseCostAccessRole
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CostExplorerAccess",
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"cur:GetUsageReport",
"ce:GetCostCategories",
"ce:GetDimensionValues",
"ce:GetReservationCoverage",
"ce:GetReservationPurchaseRecommendation",
"ce:GetReservationUtilization",
"ce:GetSavingsPlansUtilization",
"ce:GetSavingsPlansCoverage",
"ce:ListCostCategoryDefinitions",
"ce:DescribeCostCategoryDefinition",
"ce:GetRightsizingRecommendation"
],
"Resource": "*"
},
{
"Sid": "OrganizationsAccess",
"Effect": "Allow",
"Action": [
"organizations:ListAccounts",
"organizations:DescribeOrganization"
],
"Resource": "*"
},
{
"Sid": "CloudWatchMetricsAccess",
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData",
"cloudwatch:ListMetrics"
],
"Resource": "*"
},
{
"Sid": "PricingAccess",
"Effect": "Allow",
"Action": [
"pricing:GetProducts",
"pricing:DescribeServices",
"pricing:GetAttributeValues"
],
"Resource": "*"
},
{
"Sid": "WasteDetectionReadAccess",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeAddresses",
"ec2:DescribeNatGateways",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeImages",
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"rds:DescribeDBSnapshots",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeReplicationGroups",
"lambda:ListFunctions",
"lambda:GetFunctionConfiguration",
"s3:ListAllMyBuckets",
"s3:GetBucketLifecycleConfiguration",
"s3:GetBucketTagging",
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"redshift:DescribeClusters",
"es:ListDomainNames",
"es:DescribeElasticsearchDomain",
"kinesis:ListStreams",
"kinesis:DescribeStream",
"sagemaker:ListEndpoints",
"sagemaker:DescribeEndpoint",
"sagemaker:ListNotebookInstances",
"efs:DescribeFileSystems",
"efs:DescribeMountTargets",
"neptune:DescribeDBClusters",
"neptune:DescribeDBInstances",
"docdb:DescribeDBClusters",
"docdb:DescribeDBInstances",
"mq:ListBrokers",
"mq:DescribeBroker",
"fsx:DescribeFileSystems",
"qldb:ListLedgers",
"qldb:DescribeLedger",
"kafka:ListClusters",
"kafka:DescribeCluster",
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListServices",
"eks:ListClusters",
"eks:DescribeCluster",
"cloudfront:ListDistributions",
"secretsmanager:ListSecrets",
"kms:ListKeys",
"kms:DescribeKey",
"workspaces:DescribeWorkspaces",
"lightsail:GetInstances",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"glue:GetJobs",
"glue:GetDevEndpoints",
"states:ListStateMachines",
"apigateway:GET",
"route53:ListHostedZones",
"elasticbeanstalk:DescribeEnvironments",
"ecr:DescribeRepositories",
"ecr:ListImages",
"logs:DescribeLogGroups",
"backup:ListBackupVaults",
"backup:ListRecoveryPointsByBackupVault"
],
"Resource": "*"
}
]
}
Security Note: This role trusts CloudWise's specific service role, not the whole CloudWise account, and the trust policy additionally requires the external ID given in its Condition block, which guards against confused-deputy misuse. Together these implement defense-in-depth security.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::513158236564:role/cloudwise-customer-access-service-role"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "cloudwise-cost-access-2025"
}
}
}
]
}
Search for and attach the following policies:
Click "Next" when all policies are selected.
Service role ARN: arn:aws:iam::513158236564:role/cloudwise-customer-access-service-role
CloudWise account ID: 513158236564
External ID: cloudwise-cost-access-2025
Role name: CloudWiseCostAccessRole (case-sensitive)
If you continue experiencing issues, please contact our support team with: